Solutions

Applications

Developers

About

English

Schedule a consultation

Back

Compliance

May 11, 2026

KSA Guidance Is Getting Stricter: Can You Prove Your Duty of Care?

Why this matters now


The Dutch Gambling Authority, the Kansspelautoriteit, recently published
additional guidance on how online gambling licence holders should carry out
their duty of care. The documents focus on two difficult areas in practice:
personal interviews with players and notifications related to possible
registration in Cruks, the Dutch gambling exclusion register.
That may sound procedural. In practice, it raises a much sharper question for
operators:


If a player shows signs of risk, can you prove that your organisation
responded properly?


Not in general terms. Not with a policy PDF. But with a clear record of what
happened, what information was used, what decision was made and why that
decision was reasonable at the time.
That is where many organisations feel the pressure.


The hard part is not writing the policy


Most regulated operators already have duty-of-care policies. They know when
a player should be contacted. They know when internal escalation may be
needed. They know Cruks exists. They know vulnerable players require
additional attention.

The harder part is execution.

A player hits a behavioural trigger. A customer support agent sees worrying
signals. A responsible gaming team needs to decide whether a personal
interview is required. A player may be advised to self-exclude. In some cases,
the operator may need to assess whether a Cruks notification is appropriate.
These are not abstract compliance moments. They happen inside real
customer journeys, often under time pressure, across different systems and
teams.
The risk is that the decision-making trail becomes scattered. One note in a
CRM. One email from support. One affordability check in a separate flow. One
compliance decision in a spreadsheet. Six months later, reconstructing the case
becomes difficult.
And if the regulator asks what happened, “we followed our policy” is rarely
the strongest answer.


From intervention to evidence


The recent KSA guidance does not just remind operators that interventions
matter. It also shows that consistency matters.
If two similar cases are handled differently, can the operator explain why?
If a player was allowed to continue, what evidence supported that decision?
If a personal interview was conducted, what was concluded?
If a Cruks-related notification was not made, why not?
These questions are uncomfortable because they sit between compliance,
operations and product design. They are not solved by one department.
A useful duty-of-care process needs at least four things:

  1. Clear triggers:
    The organisation needs to know which signals require attention. These
    may include age, deposit behaviour, losses, failed payments, previous
    interventions or requests to increase limits.

  2. Reliable checks:
    When extra verification is needed, the operator needs data that is
    accurate enough to support a decision. That may include identity checks,
    exclusion checks, affordability checks or source-of-funds information.

  3. A documented decision:
    The outcome needs to be recorded in a way that can be reviewed later.
    Not just the result, but the reason behind it.

  4. A customer journey that still works:
    The process must protect the player without turning every interaction
    into a slow, confusing manual review.
    That last point is often underestimated. A process can be compliant on paper
    and still fail in practice if it creates too much friction, too much manual work
    or too many unclear handovers.


    Affordability checks should not mean asking for everything


    Financial capacity is one of the most sensitive parts of duty of care. Operators
    need enough information to assess whether continued play is responsible,
    especially when thresholds or risk triggers are reached. At the same time,
    customers should not be asked to expose more personal financial data than
    necessary.
    That is where proportionality becomes important.
    A good affordability process should answer a specific question: is there
    enough evidence to support the next decision?It should not become an
    open-ended request for every detail of someone’s financial life.
    Bluem’s BudgetCheck was built around that principle. It supports different
    types of income documents, including payslips, annual salary statements, bank
    statements and tax income statements. It also gives the customer a choice in
    which document to provide, rather than forcing one fixed route for every case.
    That matters because customers differ. A salaried employee may have a
    payslip. A freelancer may not. A tax income statement may provide a broader
    view, but some customers will need guidance to retrieve the right document. A
    one-size-fits-all process creates drop-off and operational exceptions.
    The goal should be simple: collect enough verified information to support a
    responsible decision, without making the process unnecessarily intrusive.


    The compliance file is becoming part of the product


    For online gambling operators, duty of care can no longer sit outside the
    customer journey. It has to be part of the product experience.
    When a player reaches a threshold, the next step should be clear.
    When additional information is required, the reason should be
    understandable.
    When a decision is made, the organisation should be able to show the
    evidence.
    When a regulator asks questions later, the case file should not need to be
    rebuilt manually.
    This is not only about avoiding enforcement risk. It is also about running a
    better operation. Clearer processes reduce internal uncertainty. Better
    evidence reduces back-and-forth between teams. A more structured flow helps
    support teams treat similar cases consistently.
    In other words: good duty-of-care execution is not just a legal safeguard. It is
    operational discipline.


    What operators should review now


    The KSA’s recent guidance is a useful moment to review how duty of care
    works in practice. Not in a workshop, but in actual customer cases.
    Start with a few recent examples:
     A player who reached a deposit or loss threshold.
     A player who received a responsible gaming intervention.
     A player who requested a limit increase.
     A case where Cruks was discussed.
     A case where affordability evidence was requested.
    Then ask:
     Can we see why the case was triggered?
     Can we see which checks were performed?
     Can we see who made the decision?
     Can we see what the customer was told?
     Can we defend the outcome if challenged?
    If those answers are spread across multiple systems or depend on one
    colleague’s memory, the process is vulnerable.


    Where Bluem fits


    Bluem helps regulated organisations turn checks into workable customer
    flows. For gambling operators, that can include identity verification, Cruks
    checks, affordability assessment, source-of-funds support and documented
    decision flows.
    The point is not to add more friction. The point is to make the right step
    happen at the right moment, with the evidence stored properly.
    Recent KSA guidance makes one thing clear: duty of care is not only about
    having the right intentions. Operators need to show their work.
    Want to know whether your duty-of-care process would hold up under
    review? Bluem can help you map the weak points and design a cleaner flow.